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TECHNICAL FIELD 



The invention concerns generally the technology of arranging the transmission of 
various types of packets between computers that are coupled to a packet-switched 
15 communications network. Especially the invention provides an answer to the 
question, how security and broadcasting capability can be simultaneously accounted 
for in such a packet-switched communications network. 



20 BACKGROUND OF THE INVENTION 

The Internet Protocol, or IP for short, is a widely used protocol that defines the 
structure and handling of so-called IP packets in packet-switched communications 
networks between computers. An IP packet consists of a header and a payload part, 
o 25 of which the header includes information that specifies the intended way of 
handling the packet while the payload part contains some (hopefully) useful payload 
data. Important parts of the IP packet header are the source and destination 
addresses that specify, where did the packet originate from and who is the intended 
recipient. 

4 30 

J According to IP, it is possible to transmit so-called broadcast packets where a 

broadcast address of a network segment is used as the destination address. Such 
packets are meant to reach every computer that belongs to the network segment in 
r question. Typical users of broadcast packets are instant messaging protocols, some 

- 35 protocols that are used for detecting whether there are peer nodes present in the 
network segment, and games. The essential details of using broadcast packets are 
available to the public in the document RFC 919, published in October 1984 by the 
Internet Society and IETF, where RFC comes from Request For Comments and 
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IETF is Internet Engineering Task Force. Said document is incorporated herein by 
reference. 

On the other hand a known feature of packet-switched computer networks is the 
5 constantly growing need for security. At the priority date of this patent application 
the de facto standard of securing IP-based communications is the IPsec (Internet 
Protocol security) protocol suite, a central concept of which is the SA (Security 
Association). An SA is a simplex logical "connection" that affords security services 
to the traffic carried by it. Setting up an SA invariably involves authentication of the 
10 communicating parties. As already the title suggests, an SA involves encryption on 
a level that provides good secrecy. 

Problems arise if one tries to combine the concepts of network broadcasting and 
IPsec-based security. The broadcast address of a network segment does not identify 

15 anything that could be authenticated in the sense that setting up an SA would 
require. As a direct consequence it is impossible to set up an SA for the 
transmission of broadcast packets as they are presently known, which is another 
way of saying that IPsec-based security cannot be provided for the transmission of 
broadcast packets. In many security-conscious networks the use of IPsec is 

20 mandatory, which means that applications exploiting broadcast packets fail to 
operate over such networks. 
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SUMMARY OF THE INVENTION 



It is an objective of the present invention to provide security and broadcast packet 
transmission capability simultaneously in a packet-switched communications 
network between computers. In more detail, it is an objective of the invention to 
provide methods, arrangements and software program products for securely 
*.s 30 transmitting and receiving broadcast type packets over such a network. A further 
**% objective of the invention is to ensure the secure transmission of broadcast type 

o packets to and from mobile wireless terminals, as well as wired terminals making 

Zl connections with a network segment in question through an arbitrary arrangement 

of insecure networks in between. 



The objectives of the invention are achieved by conveying all broadcast packets that 
should be sent over IPsec-protected connections through a gateway that acts as a 
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broadcast relaying station: it encapsulates and forwards the broadcast packets to the 
appropriate IPsec-protected connections. 

According to a first aspect of the invention there is provided a method for handling 
a broadcast packet in a gateway computer that has an IPsec-protected connection to 
a part of a logical network segment within which the broadcast packet should be 
distributed. The IPsec protection specifies, what kinds of packets are acceptable for 
transmission over the IPsec-protected connection. The characteristic features of 
such a method are recited in the corresponding independent method claim. 



According to a second aspect of the invention there is provided a method for 
transmitting a broadcast packet from a host computer, which host computer is part 
of a certain logical network segment within which the broadcast packet should be 
distributed and has an IPsec-protected connection to another part of the logical 
15 network segment. The IPsec protection specifies, what kinds of packets are 
acceptable for transmission over the IPsec-protected connection. The characteristic 
features of such a method are recited in the corresponding independent method 
claim. 

20 According to a third aspect of the invention there is provided a method for 
conveying a broadcast packet from a first part of a logical network segment, within 
which the broadcast packet should be distributed, to a second part of the same 
logical network segment that has an IPsec-protected connection to the first part. The 
IPsec protection specifies, what kinds of packets are acceptable for transmission 
o 25 over the IPsec-protected connection. The characteristic features of such a method 
are recited in the corresponding independent method claim. 



According to a fourth aspect of the invention there is provided a gateway computer 
for offering another computer device an IPsec-protected connection to and from a 
30 logical network segment within which the distribution of broadcast packets is 
allowable. The IPsec protection is arranged to specify, what kinds of packets are 
acceptable for transmission over an IPsec-protected connection. The characteristic 
features of such a gateway computer are recited in the corresponding independent 
device claim. 



According to a fifth aspect of the invention there is provided a host computer, 
comprising means for establishing an IPsec-protected connection to and from a 
gateway computer of a logical network segment within which the distribution of 



broadcast packets is allowable. The IPsec protection is arranged to specify, what 
kinds of packets are acceptable for transmission over the IPsec-protected 
connection. The characteristic features of such a host computer are recited in the 
corresponding independent device claim. 

According to further aspects of the invention there are provided a computer 
program product comprising a computer readable medium; a computer program 
element; a computer program element embodied on a computer readable medium; a 
computer readable medium, having a program recorded thereon; a computer 
program product directly loadable into the internal memory of a digital computer, 
comprising software code portions; as well as a computer program product stored 
on a computer usable medium. The characteristic features of these aspects of the 
invention involve making a computer implement a method according to some of the 
method aspects recited above. 

Various embodiments of the invention are described in the depending claims. 
BRIEF DESCRIPTION OF DRAWINGS 

The novel features which are considered as characteristic of the invention are set 
forth in particular in the appended claims. The invention itself, however, both as to 
its construction and its method of operation, together with additional objects and 
advantages thereof, will be best understood from the following description of 
specific embodiments when read in connection with the accompanying drawings. 

Fig.l illustrates how physically differently located devices may belong to a 

logical network segment, 
fig. 2 illustrates a basic case of broadcast relaying according to an embodiment 

of the invention, 

fig. 3 illustrates broadcast relaying to a distant host according to an 

embodiment of the invention, 
fig. 4 illustrates the encapsulation of a broadcast packet for broadcast relaying 

according to an embodiment of the invention, 
fig. 5 illustrates broadcast relaying when the broadcast packet originates from a 

host with an IPsec-protected connection, 
fig. 6 illustrates the composition of a logical network segment from physically 

separate subnets, 



illustrates a combination of several cases where the invention can be 
applied, 

illustrates one instance of broadcast relaying in the arrangement of fig. 7, 
illustrates a method according to an embodiment of the invention, 
illustrates a method according to another embodiment of the invention, 
illustrates chaining of IPsec-protected connections, 
illustrates the case of several simultaeously active SAs between two 
communicating devices, and 

illustrates a device implementation according to an embodiment of the 
invention. 

The exemplary embodiments of the invention presented in this patent application 
are not to be interpreted to pose limitations to the applicability of the appended 
claims. The verb "to comprise " is used in this patent application as an open 
limitation that does not exclude the existence of also unrecited features. The 
features recited in depending claims are mutually freely combinable unless 
otherwise explicitly stated. 

DETAILED DESCRIPTION OF THE INVENTION 

Fig. 1 illustrates an arrangement where a logical network segment 101 consists of 
two physical network parts, which are a wired part 102 and a wireless part 103. Two 
exemplary hosts 111 and 112 are shown within the wired part 102; the actual 
number of hosts within the wired part 102 can be anything between only few and 
several thousands. Similarly two exemplary hosts 121 and 122 are shown as 
operating within the wireless part 103; also similarly the number of hosts within the 
wireless part may vary considerably and does not have any specific importance. 
..Between the wired part 102 and the wireless part 103 there is a gateway 131, which 
for the purposes of the following description is specifically designated as a security 
gateway. Physically it belongs both to the wired part 102 and the wireless part 103. 
Between the logical network segment 101 and an outside wired network 104 there is 
a router 132, which we designate as a security router and which still belongs to the 
wired part 102. 

As a practical example we may think that the logical network segment 101 is the 
LAN (Local Area Network) of a company. The wired hosts 111 and 112 are 
conventional desktop computers with a cable connection to the company LAN. The 
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security gateway 131 is located in a conference room at the company's premises, 
where wireless access to the company LAN is offered to mobile workstations 121 
and 122. The security router 132 implements a connection between the company 
LAN 101 and the Internet 104. 

5 

Fig. 1 illustrates additionally how a remote "road warrior" host 141 has been 
coupled to the logical network segment 101 through the outside wired network 104. 
Physically the remote host 141 may be located anywhere in the world; one of the 
tasks of the security router 132 is to mask this fact so that from the viewpoint of the 
10 other devices of the logical network segment 101 the remote host appears to be 
within the same network segment. The virtual apperance of the remote workstation 
141 within the logical network segment 101 has been illustrated with dotted lines 
and reference designator 141'. 

15 The wired part 102 of the logical network segment 101 is considered to be 
inherently safe, which means e.g. that hosts 111 and 112 may communicate with 
each other through the wired part 102 without using IPsec or other security 
measures comparable thereto. In clear contrast thereto the wireless part 103 is not 
inherently safe, because eavesdropping on wireless communications is relatively 
20 easy and because any arbitrary visiting host, friendly or hostile, may attempt 
registering into the wireless part 103. Also the outside wired network 104 is 
assumed to be unsafe. The word "security" in the designations of the gateway 131 
and the router 132 emphasizes their responsibility for providing security to 
connections between "inside" hosts within the wired part 102 and "outside" hosts 
25 within either the wireless part 103 or the outside wired network 104. Using IPsec 
implies that SAs must be set up between each of the wireless hosts 121 and 122 and 
the security gateway 131, as well as between the remote host 141 and the security 
router 132. 

30 For the purpose of providing a good understanding of the associated problems, we 
may briefly recapitulate the process of handling the IP addresses of the "dubious" 
hosts 121, 122 and 141. The security gateway 131 (or a separate address server 
coupled thereto) keeps a stock of dynamically allocatable IP addresses that are 
considered to belong to the internal address space of the logical network segment 
35 101. When a wireless host registers into the wireless part 103 of the logical network 
J segment 101, it gets one of these dynamically allocatable internal IP addresses for 
identifying itself during its stay. An ARP (Address Resolution Protocol) proxy 
functionality at the security gateway 131 takes care of handling any ARP queries 
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from other hosts in the logical network segment 101: whenever there comes an ARP 
query that aims at finding out the machine address that corresponds to a certain IP 
address allocated to a wireless host, the security gateway 131 responds to the query 
by giving its own machine address. ARP is discussed in detail e.g. in the document 
5 Plummer, D.: "An Ethernet Address Resolution Protocol - or - Converting Network 
Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet 
Hardware", RFC 826, Symbolics, Inc., November 1982. 

The situation is similar if the remote host 141 would contact the logical network 

10 segment 101 through a telephone network, by making a direct call to a modem bank 
that constitutes a part of a security router. Also in that case the remote host gets an 
internal IP address for temporary use, and the security router takes care of the ARP 
proxy functionality. The arrangement of fig. 1 resembles more a situation where the 
remote host 141 calls the modem bank of a local ISP (Internet Service Provider) at 

15 its current location and gets a temporarily allocated IP address from a stock of 
dynamically allocatable IP addresses kept by the ISP. For the purposes of making a 
connection to the security router 132 and applying IPsec-based security to the 
communication over such a connection the remote host uses this "external" IP 
address, where the address being external means that it does not belong to the 

20 internal address space of the logical network segment 101. Hosts within the logical 
network segment 101 would not recognize such an IP address as qualified for secure 
transmissions, so the security router 132 additionally allocates a dynamically 
allocatable internal IP address for the remote host. This "virtual" IP address is 
communicated to the remote host, which uses its parallelly with the "real" IP 

25 address it received from the local ISP. Using virtual IP addresses is described in 
detail in an Internet Draft document "draft-ietf-ipsec-dhcp-13.txt", published in 
2001 by the Internet Society, available at http://www.ietf.org/shadow.html and 
incorporated herein by reference. 

30 Entrusting a router with the task of managing secure communications requires the 
router to have rather advanced capabilities. An alternative is to use a simpler router 
and to connect a security gateway to the wired part 102 of the logical network 
segment 101. Such a security gateway would act as the interface between secured 
communications towards the outside network 104 and inherently secure 

35 communications within the wired part 102. 



Let us now consider what happens when one of the hosts 111 and 112 within the 
wired part 102 of the logical network segment 101 sends out a broadcast packet. All 
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other hosts within the wired part 102 receive the broadcast packet without problems. 
Also the security gateway 131 and the security router 132 receive the broadcast 
packet. However, each IPsec-secured connection - from the security gateway 131 to 
the wireless host 121, from the security gateway 131 to the wireless host 122 and 
5 from the security router 132 to the remote host 141 - is rigorously bound to the 
dynamically allocated IP address of the host in question and requires an SA for the 
transmission of packets. The network broadcast address in the broadcast packet 
cannot be used for identifying anything that could be authenticated, so without the 
measures of the present invention the broadcast packet that originated within the 
10 wired part 102 would not propagate to any of the wireless hosts 121 and 122 or the 
remote host 141. 

For the sake of general interest we may also consider, what would happen if the 
security requirement on the wireless part 103 would be loosened to the extent of not 
15 requiring the use of IPsec. In that case the gateway 13 1 would just "shout out loud" 
the broadcast packet as it is, i.e. relay it from the wired medium to the wireless 
medium, and every wireless host in the wireless part 103 would receive it 
essentially simultaneously with their wired counterparts in the wired part 102. A 
corresponding general relaying function is not possible at the security router 132, 
20 because broadcast packets are only meant to propagate through the logical network 
segment 101 and relaying them out into the outside wired network 104 would 
violate this principle. 

Fig. 2 illustrates the principle of secure broadcast relaying according to an 
25 embodiment of the present invention. The fact that certain wireless hosts are present 
in a wireless part of a packet-switched network already requires them to be on-line. 
In other words we may assume that at a certain time instant prior to the appearance 
of a broadcast packet there must have occurred the setting up of a security 
association between each wireless host and the security gateway, which security 
J 30 association has not yet expired when the broadcast packet comes. In fig. 2 step 201 
represents setting up an SA between the security gateway 131 and a first wireless 
host 121, and step 202 represents setting up an SA between the security gateway 
131 and a second wireless host 122. These SAs are still alive when at step 203 a 
f ^ wired host 111 decides to transmit a broadcast packet through the logical network 

«Ys 35 segment. At step 204 the security gateway 131 receives the broadcast packet, 
c \ j duplicates it into as many copies as there SA-connected wireless hosts, and 

encapsulates each copy appropriately so that it can be sent over the SA for which it 
was created. Transmitting the encapsulated copies of the broadcast packet to the 
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wireless hosts may be designated as relaying, although it is not the exact copy of 
what the security gateway received but an encapsulated version thereof that is 
transmitted further. Step 205 represents relaying to the first wireless host 121 and 
step 206 represents relaying to the second wireless host 122. 

5 

Steps 201 and 202, i.e. the setting up of SAs that stand waiting for something to be 
transmitted from the gateway 13 1 to the wireless hosts, usually take place as a part 
of normal network traffic. It is possible, however, to make either the wireless hosts 
or the gateway or both execute a dedicated keepalive process the purpose of which 
10 is to ensure that an SA from the gateway to each wireless host always exists, if only 
the wireless host in question is otherwise in condition for standing by, waiting for 
transmissions from the gateway to occur. 

Fig. 3 illustrates a corresponding situation regarding a case where a distant host 
15 designated as the road warrior contacts the Internet through a local ISP at its current 
location and seeks contact with the secure network segment in which broadcast 
packets are expected to occur. At step 301 the distant host initiates the setting up of 
a network connection, and as a consequence thereof contacts the local ISP at step 
302. At step 303 the local ISP provides the distant host with a temporary IP address, 
20 which it communicates to the distant host at step 304. Using this IP address and the 
connectivity services of the local ISP the distant host contacts the security router or 
security gateway of the secure network segment at step 305. An SA is set up 
between the security router or security gateway and the distant host at step 306. At 
t step 307 the security router or security gateway allocates an internal IP address for 

I 25 the distant host (internal meaning internal ta the secure network segment), which 
internal IP address is communicated to the distant host at step 308. At step 309 the 
distant host sets up a virtual network connection that uses the internal IP address it 
received. Up to this point the procedure may follow completely known measures; 
the present invention is not yet required to be involved. 

0 '\ % 30 

e » 

At step 310 a broadcast originator in the secure network segment transmits a 
broadcast packet, so that the security router or security gateway is among the 
^/ devices that receive said broadcast packet. At step 311 the security router or 
security gateway duplicates the broadcast packet and encapsulates it so that it can be 
35 transmitted through an SA to the distant host. The transmission or "relaying" of the 
encapsulated broadcast packet takes place at step 3 12. 
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Fig. 4 illustrates briefly what happens at the step where a security gateway or a 
security router encapsulates a broadcast packet according to one part of the present 
invention for enabling its transmission through an SA to a wireless or distant host. 
Before encapsulation the packet is a normal IP packet, comprising an IP header 401, 
5 a payload field 402 and possibly some other fields 403. The IP header 401 
comprises, among other values, the network broadcast address as a destination 
address value. Simple IPsec processing would preserve the original IP header and 
add a security header (an AH header or ESP header, where AH means 
Authentication Header and ESP means Encapsulating Security Payload) between 
10 the header and a payload field. Such processing is not applicable here, because the 
network broadcast address within the original IP header is not suitable for 
authenticating. Instead, the packet is transformed so that a new IP header 411 is 
added to the beginning of the packet, followed by the security header 412, the 
original IP header 413, the payload field 414 and the other fields 415, if they exist. 
15 The address values in the new IP header 411 are selected so that they match with 
the authenticated addresses of the endpoints of the SA through which the 
encapsulated broadcast packet is to be transmitted. Encryption of fields 413, 414 
and 415 in the encapsulated packet is performed as per the definitions of the applied 
IPsec protection. 

20 

In the cases described so far we have assumed that the originator of the broadcast 
packet is connected directly to the secure, wired part of the logical network segment 
where broadcast packets occur. This is not necessarily true, since both wireless 
hosts - having a wireless, IPsec-protected direct connection to the secure network - 
j 25 and distant hosts that have IPsec-protected access the secure network through an 
insecure intermediate network may need to transmit broadcast packets as well. Fig. 
I 5 illustrates how the invention is applied in such a case. 

Fig. 5 is most readily applicable to a situation where two wireless hosts have IPsec- 
J 30 protected wireless connections to a security gateway, which is also a node of the 
secure wired network having wired hosts connected thereto. Steps 501 and 502 
show how said wireless hosts have set up, at some previous moment, SAs between 
themselves and the security gateway. At step 503 one of the wireless hosts decides 
to transmit a broadcast packet, which is composes according to known measures. 
r 35 However, the wireless host cannot just transmit the broadcast packet to the security 
I gateway through an SA because of authentication reasons that have already been 
described. Therefore the wireless host encapsulates the broadcast packet at step 504 
so that it can thereafter transmit it to the security gateway at step 505. It should be 
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noted that even if the packet itself is destined further (i.e. to all hosts in the logical 
network segment) than the security gateway, steps 504 and 505 only aim at 
transmitting it through an SA the endpoint of which is at the security gateway. 
IPsec-based protective processing keeps any potential other wireless hosts within 
5 range from noticing that actually a broadcast packet came through the air - 
therefore the quotation marks around the word "broadcast" at step 505. 

At step 506 the security gateway decapsulates the packet it received from the first 
wireless host and recognizes the content as including a broadcast packet. At step 

10 507 it forwards the broadcast packet as it is into the wired part of the logical 
network segment. Additionally it must ensure that other such hosts that employ 
IPsec receive the broadcast. Therefore the security gateway duplicates the broadcast 
packet at step 508 into as many copies as there are other wireless hosts online at the 
moment, and encapsulates each copy appropriately so that it can be transmitted to 

15 the wireless host in question. At step 509 the security gateway relays the re- 
encapsulated broadcast packet(s) to all other wireless hosts than that from which the 
packet originally came from. 

Only certain nuances of the procedure change if we consider cases where at least 
20 one of the IPsec-using hosts is a distant host communicating through an unsecure 
wired network or where there are at least two security gateways for wireless 
connections in the same network. If there are involved a first security gateway for 
wireless connections and a separate second security gateway or security router for 
distant connections or wireless connections in a separate location, the functionality 
25 shown in a single "router or gateway" column in fig. 5 is split into two: one device 
receives the original encapsulated broadcast packet from the originator host and 
performs the decapsulating and forwarding functions, while the other receives the 
forwarded broadcast packet and performs the re-encapsulating and relaying 
functions. 

30 

It should be noted that certain types of packets may exist that could be considered as 
broadcast packets but the handling of which should nevertheless be different than 
what has been described above. Let us assume that a wireless host wants to 
broadcast an ARP request where it inquires the machine address of the security 
35 gateway or some other host that is "behind" the security gateway in the sense that 
the latter acts as an ARP proxy on behalf of the host in question. When the security 
gateway has decapsulated the ARP request packet, it notices that this is something 
that it can respond to exhaustively all by itself. In that case it does not need to 
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forward the packet any further despite of its basic nature as a broadcast packet. It 
may respond directly to the host that sent the ARP request packet. 

A special case could be considered where there is no "secure wired part" of a 
5 logical network segment at all, meaning that in no part of even the wired network 
can security be guaranteed and consequently IPsec must be employed in all 
connections. It is completely possible to use IPsec in a fabric-like network 
architecture where each node can communicate direcdy with each other node; it is 
then only required that separate SAs are set up for every peer-to-peer connection in 
10 the network. Hoever, the present invention does not work in such an environment 
unless at least one of two conditions is met. The first of these is that the network 
architecture is not completely fabric-like after all but there is a central node in the 
network that knows how to receive a broadcast packet (encapsulated and through an 
SA) from its originator and how to de-encapsulate, duplicate and re-encapsulate the 
15 broadcast packet so that the central node can further relay the broadcast packets to 
all other devices in the logical network segment. The second possibility is that every 
node in the network is by itself able to convert the conventional procedure of 
releasing a broadcast packet into one where a number of SAs are successively set up 
between the originator and all other hosts in the logical network segment for 
20 transmitting a copy of the broadcast packet to every receiving device in turn. 

Fig. 6 illustrates the application of the invention in a case where a logical network 
segment 601 consists of three different physical networks 611, 621 and 631, the 
connections between which go through an intermediate network 641 that does not 
25 belong to the logical network segment 601. The physical networks 61 1, 621 and 63 1 
can also be designated as subnets. As a practical example we may consider that the 
logical network segment 601 is a corporate LAN of a company that occupies three 
different buildings. Connections between the buildings go through the public 
Internet and require IPsec protection, while within each physical network 611, 621 
30 and 63 1 (inside the walls of each building) plaintext communication is allowed. For 
setting up and maintaining the protected connections between the subnets 611, 621 
and 63 1 there is a security gateway or security router at each of them. In fig. 6 these 
appear as the border routers 612, 622 and 632 respectively. The hosts that belong to 
each subnet are designated as 613 and 614; 623 and 624; as well as 633 and 634 
35 respectively. 

u o 
u o o 
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\ j ■ In order to fulfil their task of securely connecting the different subnets into a single 
logical network segment the security routers 612, 622 and 632 routinely maintain 
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SAs between themselves. When now one of the host transmits a broadcast packet 
that should be distributed to all hosts of the logical network segment, the broadcast 
packet first appears in the subnet where the transmitting host is located. The 
security router of that subnet receives the broadcast packet, encapsulates it 
5 appropriately and transmits it to the other security routers through the SAs. Each 
receiving security router decapsulates the packet, recognizes it to be a broadcast 
packet and broadcasts it within the subnet in question. 

Fig. 7 illustrates a combination of many features that have been separately discussed 
10 above. A logical network segment 701 consists of several physically separate 
subnets, of which first and second subnets 710 and 720 are wired subnets, a third 
subnet 730 is a wireless subnet and a fourth subnet 740 is a virtual subnet where 
distant hosts are made to logically appear as hosts of the logical network segment 
701. Security gateways 711, 721, 731 and 741 couple the various subnets to each 
15 other with connections that go through an inherently unsafe outside network 705. In 
the first subnet 710 hosts 712 and 713 are directly connected to the security gateway 
711; similarly in the second subnet 720 hosts 722 and 723 are directly connected to 
the security gateway 721. In the third subnet 730 wireless hosts 732 and 733 have 
wireless connections to the corresponding security gateway 731, and in the fourth 
20 (virtual) subnet 740 the logical appearances 742' and 743' of certain hosts are seen 
to have connections to a security gateway 741. Actually the hosts 742 and 743 are 
located somewhere within the unsafe outside network 705, and connections from 
them to the security gateway 741 go through the server 706 of an ISP somewhere in 
the Internet. 

25 

Fig. 8 shows a chain of events that is related to the incident of a distant host 
transmitting a broadcast type packet in the logical network segment 701 illustrated 
in fig. 7. At the top left part of fig. 8 the distant hosts log in into the logical network 
segment 701. Regarding host 742, the associated steps are initiating 801 a 
30 connection, contacting 802 an ISP 706, allocation 803 of a temporary IP address at 
■Yi the ISP 706, communicating 804 the allocated temporary IP address to the host 742, 
>° Y contacting 805 the security gateway 741, setting up 806 an SA between the host 742 
and the security gateway 741, allocating 807 a virtual IP address internal to the 

Cj u <■' 

address space of the logical network segment, communicating 808 the allocated 
35 virtual IP address to the host 742 and setting up 809 a virtual IP connection at the 
sYz host 742. Regarding host 743 the same operations are performed at steps 811, 812, 
: Vj: 813, 814, 815, 816, 817, 818 and 819 respectively. 
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The various security gateways must also have set up SAs between themselves; this 
is shown in fig. 8 as steps 821, 822, 823, 824, 825 and 826. Additionally the 
wireless hosts 732 and 733 in the wireless subnet must set up SAs between them 
and the wireless security gateway 73 1 . Setting up the wireless SAs is shown in fig. 
5 8 as steps 827 and 828. 

At step 83 1 a distant host 742 composes a broadcast packet. It cannot transmit it as 
such, so it encapsulates it at step 832 for transmission 833 over an appropriate SA to 
the security gateway 741. At step 834 the security gateway decapsulates the packet 
10 and notices that it is a broadcast packet on its way to all other devices in the logical 
network segment 701. There are only IPsec-protected connections from the security 
gateway 741 to the other parts of the logical network segment 701, so recognizing 
the packet as a broadcast packet triggers a series of re-encapsulation and 
transmission operations. The order in which the forwarding to the other parts of the 
15 network is performed is not important. As an example, in fig. 8 the security gateway 
741 first re-encapsulates 835 and transmits 836 the broadcast packet to the other 
distant host 743, which subsequently re-decapsulates the packet at step 837. 

Other re-encapsulation and transmission operations follow at the security gateway 
20 741: to the wireless security gateway 731 at steps 838 and 839, to the first wired 
security gateway 711 at steps 840 and 841, and to the second wired security 
gateway 721 at steps 842 and 843. The last-mentioned device re-decapsulates the 
broadcast packet at step 844 and forwards it as a single broadcast-type transmission 

845 to the hosts 722 and 723 in the corresponding subnet. Similar re-decapsulating 
25 and forwarding operations take place at the first wired security gateway 71 1 at steps 

846 and 847. At the wireless security gateway 731 there is a re-decapsulating 
operation at step 848, but the wireless security gateway 73 1 cannot simply forward 
the broadcast packet in a single transmission. Instead, it performs a second re- 
encapsulation at step 849 before transmitting 850 the packet to the first wireless 

30 host 732, which then again decapsulates the packet at step 851. Regarding the 
second wireless host 733 similar second re-encapsulating 852, transmitting 853 and 
*° second decapsulating 854 take place. 

o .i o 

"ill Fig. 9 illustrates a method according to an embodiment of the invention: the method 

4 - 35 in question is meant to be executed by a security gateway that may have protected 
-Y'o and/or unprotected connections to other devices of a logical network segment and 
/' > that should be able to handle broadcast packets. An IPsec-capable security gateway 
is expected to constantly maintain SAs to hosts that are online, as well as to keep a 



o o o 



15 

list of such hosts. The operation according to the method in fig. 9 begins when the 
security gateway receives a packet either from an unprotected connection according 
to step 901 or from a protected connection according to step 902, in which latter 
case there is the inevitable decapsulating step 903. At step 904 the security gateway 
5 examines, whether the received packet was a broadcast packet. If not, the packet 
will be processed in some other way. In a positive case the security gateway checks 
at step 905, whether it has any unprotected connections into which it should forward 
the broadcast packet; naturally if the broadcast packet came through an unprotected 
connection, the security gateway will not transmit it again into the same connection. 
10 If appropriate unprotected connections are found, the security gateway forwards the 
packet into such connections at step 906. A negative finding at step 905 leads 
directly to step 907. 

At step 907 the security gateway checks, whether it has any protected connections 
15 into which it should forward the broadcast packet. Again if the broadcast packet 
originally came through a protected connection, the security gateway will not 
transmit it again into the same connection. The number of protected connections 
into which the broadcast packet must be transmitted is obtained from the ever- 
updated list of such connections. At step 908 the security gateway initializes a 
20 counter N, after which it circulates the loop of encapsulating the broadcast packet 
for transmission at step 909, transmitting the encapsulated packet at step 910, 
checking the counter value at step 911 and increasing the counter value by one if 
needed at step 912, until the check at step 911 shows that all protected connections 
have been dealt with. An end state 913 follows; a direct jump to the end state 913 is 
25 also possible from step 907 if it is found- there that no protected connections 
currently exist into which the packet should be transmitted. 

Fig. 10 illustrates a method to be executed by a host that may have either a 
protected or an unprotected network connection. When an upper layer application 
30 commands the transmission of a broadcast packet, the host checks first at step 1001, 
whether the current network connection is protected or not. If the network 
' °t connection is unprotected, transmission of the broadcast packet proceeds according 
to known methods at step 1002. If, however, the network connection is found to be 
protected, the host encapsulates the broadcast packet at step 1003 for transmission 
- 35 over a protected connection, and transmits the encapsulated packet at step 1004. A 
sYs broadcasting accomplished state 1005 follows either step 1004 or step 1002. 
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Certain special cases need to be considered. One of them is the situation of fig. 11, 
where a logical network segment 1101 is extended to cover a separately located 
physical subnet 1 102 so that there is a wireless connection between the subnet 1 102 
and the rest of the logical network segment, and additionally the subnet 1102 
5 comprises wireless hosts. As an example we may think that the subnet 1102 is 
located in a rail car, while the basic parts of the logical network segment 1101 are 
stationary. A first wireless gateway 1 1 1 1 is located in (or has a protected connection 
to) the stationary part of the logical network segment, and a second wireless 
gateway 1112 acts both as the common long distance transceiver of the whole rail 
10 car and as the local short-distance base station and network hub within the subnet 
1 102. Two wireless hosts 1113 and 1 1 14 are shown in fig. 11. 

Transmitting broadcast packets according to the invention in the arrangement of fig. 
11 requires the chaining of two encapsulation - decapsulation rounds. If the 

15 broadcast packet originated within the fixed part 1101 of the logical network 
segment, the first wireless gateway 1111 encapsulates it first for transmission to the 
second wireless gateway 1112. The latter decapsulates the packet only to find out 
that it is a broadcast packet. Thereafter the second wireless gateway 1112 re- 
encapsulates and transmits the packet as many times as there are currently hosts 

20 online within the subnet 1102. In the other direction if the originator of the 
broadcast packet was one of the wireless hosts 1113 and 1114, the originator host 
encapsulates the broadcast packet for the first time before transmitting it to the 
second wireless gateway 1112. Again the last-mentioned decapsulates the packet 
only to find out that it is a broadcast packet, and re-encapsulates and transmits the 

25 packet as many times as there are currently other hosts online within the subnet 
1 102. Additionally the second wireless gateway 1 1 12 re-encapsulates and transmits 
the packet to the first wireless gateway 1111, which decapsulates it and takes care 
of forwarding it as an ordinary broadcast packet into the fixed part 1101 of the 
logical network segment. 

30 
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Another special case concerns fig. 12, where a first device 1201 and a second 
on \ device 1202 have multiple currently active SAs 1211, 1212, 1213 and 1214 existing 

between them. If we now suppose that one of the devices 1201 and 1202 should 
^ ° relay a broadcast packet to the other, how should it select the SA through which the 

'uu« J 35 broadcast packet should be transmitted in encapsulated form? There are basically 
sYs two possible solutions that differ in the basic viewpoint of which of the devices 

o o 

„ w % s should contain more intelligence. The first alternative is to assume that every device 
that encapsulates broadcast packets for relaying is capable of selecting exactly one 



(J O U 

o o 

•J ^> O 
it o 
,j <> 

o o o 



o o 
o t: is 



17 

SA from each "bunch" of SAs that have the same destination. It is easy as such to 
provide a set of rules for performing such a selection: for example we may define 
that the transmitting device should always select that SA that is oldest (or newest) in 
the sense that it was established the longest (or shortest) time ago. Or we may 
5 utilize the fact that every SA has a well-defined lifetime either in time or in byte 
count or both, and state that always that SA should be selected that has more (or 
less) of its lifetime left than any other currently existing SA. Or we may simply 
state that the transmitting device should always select that SA that is encountered 
first (or last) on a list of SAs to a certain receiving device. Or we may allow the 
10 transmitting device to pick the SA at random. The only thing to watch out for is that 
the selected SA really terminates at the intended receiving device. It is well known 
that SAs may be nested within each other so that even if a certain outer SA 
terminates at a certain other device, an inner SA therewithin may continue further 
from that other device to yet another device. 

15 

The second basic alternative is to allow the transmitting device to ignore the fact 
that some of it currently active SAs actually terminate at a same receiving device. 
As a consequence the transmitting device simply duplicates, encapsulates and 
transmits the broadcast packet into each and every outgoing SA that is only known 

20 to terminate at a device that belongs to the logical network segment within which 
the broadcast packet is circulating. It is then on the responsibility of the receiving 
device to note that it may receive copies of the same broadcast packet through 
different incoming SAs. Again the practical implementation is simple as such: it is 
easy to make a receiving device store all received broadcast packets into a 

25 temporary buffer, so that it may compare a received broadcast packet to the contents 
of the buffer and to ignore all such received broadcast packets for which an exact 
copy already exists in the buffer. However, the first basic alternative is regarded as 
the more advantageous one, because it helps to avoid unnecessary delays that could 
result from superfluous duplicating and encapsulating at a security gateway. 

30 Additionally bandwidth is often scarce at a wireless interface, and transmitted byte 
count may be a basis for charging, so it is usually best to avoid unnecessary 
transmissions. 



I We will conclude by describing certain device embodiments of the invention. Fig. 

o 

35 13 illustrates a computer device 1301 where a higher layers component 1302 
schematically includes all such functionality that in the seven-layered OSI (Open 
j= Systems Interconnection) model are located at the IP layer or higher. We may 
assume that the computer device 1301 is a security gateway or an intelligent 
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security router according to an embodiment of the invention. From the higher layers 
component 1302 there are two IP-based connections to other computer devices: one 
through a first IPsec component 131 1 and the lower layers 1312 that are known to 
be used below the IP level, and the other through a second IPsec component 1321 
5 and the lower layers 1322 that are known to be used below the IP level. In practice 
even security gateway devices seldom have more than one network interface where 
IPsec is enabled, because the "internal" network interface connects the security 
gateway to a secure internal network where IPsec is not needed. The double IPsec 
approach is shown in fig. 13 for the purpose of completeness and to emphasize the 
10 fact that IPsec must be used whenever security must be provided to IP-based data 
communication. In the following we will only describe the leftmost interface in fig. 
13. 

According to the requirements of the IPsec standard, each interface where IPsec is 
15 enabled must have certain databases associated with the IPsec component. These 
databases include a Security Policy Database (SPD) and a Security Association 
Database (SAD), which additionally must differentiate between inbound and 
outbound data traffic because of the directionality of many parameters associated 
with the SAs. In fig. 13 the IPsec component 1311 is shown to have an outbound 
20 database block 1313 and an inbound database block 1314, each of which has an 
SPD part and an SAD part. For the purposes of the present invention the SAD part 
is the most important, because it provides the information about the SAs into which 
transmitted, encapsulated broadcast packets must be directed. 

25 As a part of the higher layers component 1302 there is shown a broadcast packet 
handler 1350 that includes handling functions 1351 and 1352 for received and 
transmitted broadcast packets respectively. A major component of the received 
broadcast packets handling functions 1351 is a packet forwarder 1353 that is 
arranged to forward received broadcast packets to the applications that use these 

30 packets as well as to the transmitted broadcast packets handling functions 1352 to 
be transmitted further in encapsulated form into SAs. For the latter purpose the 
transmitted broadcast packets handling functions 1352 include a duplicator 1354 the 
task of which is to duplicate the broadcast packets for encapsulation into different 
SAs. An RX/TX interface 1355 forwards received broadcast packets both from 

35 IPsec-protected and from unprotected network interfaces to the broadcast packets 
handling functions 1351; it also forwards broadcast packets to be transmitted from 
the transmitted broadcast packets handling functions 1352 to IPsec-protected and 
unprotected network interfaces as required. A network address interface 1356 
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provides the handling functions 1351 and 1352 with the necessary information 
about currently valid network addresses. An applications interface 1357 forwards 
received broadcast packets to applications and conveys broadcast packet 
transmission orders from applications to the transmitted broadcast packets handling 
5 functions 1352. 

A host implementation would be similar to that described above, with the exception 
that hosts very seldom have more than one network interface, which means that the 
lower right part within block 1301 (blocks 1321 and 1322 as well as the associated 
10 databases) can be ignored. 
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Claims 

1. A method for handling a broadcast packet in a gateway computer (131, 132, 
612, 622, 632, 711, 721, 731, 741, 1111, 1112, 1301) that has an IPsec-protected 
connection to a part (121, 122, 141, 732, 733, 742, 743, 1113, 1114) of a logical 

5 network segment (101, 601, 701, 1101) within which the broadcast packet should be 
distributed, wherein the IPsec protection specifies, what kinds of packets are 
acceptable for transmission over the IPsec-protected connection, characterized in 
that the method comprises the steps of: 

-encapsulating (204, 311, 508, 835, 838, 840, 842, 849, 852, 909) the broadcast 
10 packet into a form that is acceptable for transmission over the IPsec-protected 
connection and 

-transmitting (205, 206, 312, 509, 836, 839, 841, 843, 850, 853, 910) the 
encapsulated broadcast packet to the part of the logical network segment through 
the IPsec-protected connection. 

15 

2. A method according to claim 1, characterized in that it comprises the steps 
of: 

-duplicating (204, 311, 508, 835, 838, 840, 842, 849, 852, 909) the broadcast 
packet into as many copies as there are IPsec-protected connections from the 
20 gateway computer (131, 132, 612, 622, 632, 711, 721, 731, 741, 1111, 1112, 1301) 
to such parts of the logical network segment (101, 601, 701, 1101) to which the 
broadcast packet should be transmitted, and 

- repeating said encapsulating and transmitting steps in respect of every duplicated 
copy of the broadcast packet, so that at each repetition a duplicated copy of the 
-c 25 broadcast packet is encapsulated into a form that is acceptable for transmission over 
an IPsec-protected connection to a part to which it was not yet transmitted and from 
which the broadcast packet was not received, and thereafter such an encapsulated 
broadcast packet is transmitted to such a part. 
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30 3. A method according to claim 2, characterized in that the step of duplicating 
(204, 311, 508, 835, 838, 840, 842, 849, 852, 909) the broadcast packet comprises 
the substeps of: 

- in case there exists a bunch of currently existing IPsec-protected connections 
(1211, 1212, 1213, 1214) that begin at the gateway computer and end at a certain 

35 same receiving device, which is part of the logical network segment, selecting only 
one IPsec-protected connection from each such bunch and 

- refraining from duplicating the broadcast packet into more than one copy per 
bunch; 
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so that from the gateway computer to said certain receiving device an encapsulated 
copy of the broadcast packet is only transmitted through the selected IPsec- 
protected connection. 

4. A method according to claim 1, characterized in that comprises the steps of: 

- checking (905), whether there are such unprotected connections from the gateway 
computer to parts of the logical network segment within which the broadcast packet 
should be distributed, from which unprotected connections the broadcast packet was 
not received to the gateway computer, and 

- if such unprotected connections are found, transmitting (906) the broadcast packet 
as such to those unprotected connections; 

5. A method according to claim 1, characterized in that the encapsulating step 
comprises adding new headers (411, 412) to the broadcast packet, which new 
headers include a new IP header (411) and a security header (412), of which the 
new IP header (411) identifies an endpoint of the IPsec-protected connection as the 
intended destination of the encapsulated broadcast packet and the security header 
(412) conforms to security features of the IPsec protection. 

6. A method for transmitting a broadcast packet from a host computer (121, 122, 
141, 732, 733, 742, 743, 1113,11 14, 1301), which host computer is part of a certain 
logical network segment (101, 601, 701, 1101) within which the broadcast packet 
should be distributed and has an IPsec-protected connection to another part (131, 
132, 612, 622, 632, 711, 721, 731, 741, 1111, 1112) of the logical network segment, 
wherein the IPsec protection specifies, what kinds of packets are acceptable for 
transmission over the IPsec-protected connection, characterized in that the method 
comprises the steps of: 

- encapsulating (504, 832) the broadcast packet into a form that is acceptable for 
transmission over the IPsec-protected connection and 

- transmitting (505, 833) the encapsulated broadcast packet to the other part of the 
logical network segment through the IPsec-protected connection. 

7. A method according to claim 6, characterized in that the encapsulating step 
comprises adding new headers (411, 412) to the broadcast packet, which new 
headers include a new IP header (411) and a security header (412), of which the 
new IP header (411) identifies an endpoint of the IPsec-protected connection as the 
intended destination of the encapsulated broadcast packet and the security header 
(412) conforms to security features of the IPsec protection. 
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8. A method according to claim 6, characterized in that the step of 
encapsulating the broadcast packet comprises the substeps of: 

- in case there exists a bunch of currently existing IPsec-protected connections 
(1211, 1212, 1213, 1214) that begin at the host computer and end at a certain same 
receiving device, which is part of the logical network segment, selecting only one 
IPsec-protected connection from such bunch and 

- encapsulating the broadcast packet into a form that is acceptable for transmission 
over just the selected IPsec-protected connection. 

9. A method for conveying a broadcast packet from a first part (102, 611, 621, 
623, 710, 720, 730, 740, 1101) of a logical network segment (101, 601, 701, 1101), 
within which the broadcast packet should be distributed, to a second part (102, 61 1, 
621, 623, 710, 720, 730, 740, 1101) of the same logical network segment that has an 
IPsec-protected connection to the first part, wherein the IPsec protection specifies, 
what kinds of packets are acceptable for transmission over the IPsec-protected 
connection, characterized in that the method comprises the steps of: 
-encapsulating (204, 311, 504, 508, 832, 835, 838, 840, 842, 849, 852, 909) the 
broadcast packet within the first part of the logical network segment into a form that 
is acceptable for transmission over the IPsec-protected connection, 

- transmitting (205, 206, 312, 505, 509, 833, 836, 839, 841, 843, 850, 853, 910) the 
encapsulated broadcast packet to the second part of the logical network segment 
through the IPsec-protected connection and 

- decapsulating (506, 844, 846, 851, 854) the transmitted encapsulated broadcast 
packet at the second part of the logical network segment. 

10. A gateway computer (131, 132, 612, 622, 632, 711, 721, 731, 741, 1111, 
1112, 1301) for offering another computer device an IPsec-protected connection to 
and from a logical network segment (101, 601, 701, 1101) within which the 
distribution of broadcast packets is allowable, wherein the IPsec protection is 
arranged to specify, what kinds of packets are acceptable for transmission over an 
IPsec-protected connection, characterized in that the gateway computer comprises: 
-means (1311, 1321) for encapsulating a broadcast packet into a form that is 
acceptable for transmission over an IPsec-protected connection and 

- means (13 12, 1322) for transmitting the encapsulated broadcast packet to the other 
computer device through an IPsec-protected connection. 
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11. A gateway computer according to claim 10, characterized in that it 
comprises: 

- a first network interface (1322) for connecting the gateway computer to a logical 
network segment comprising several computer devices, 

5 -a second network interface (1312) for connecting the gateway computer to 
individual hosts for the purpose of making such individual hosts appear as parts of 
the logical network segment, 

- an IPsec component (1311) coupled to the second network interface (1312) for 
implementing IPsec protection within connections through said second network 

10 interface, and 

- a broadcast packet handler component (1350); 

wherein the broadcast packet handler component is arranged to: 

- receive (1355) broadcast packets from either of the first (1322) and second (13 12) 
network interfaces, 

15 - forward (1353) received broadcast packets to application layer entities (1302) in 
the gateway computer, 

- forward (1353) broadcast packets received from the first network interface (1322) 
towards the second network interface (1312), 

-forward (1353) broadcast packets received from the second network interface 
20 (13 12) towards the first network interface (1322), 

- forward (1353) broadcast packets from application layer entities (1302) in the 
gateway computer towards the first and second network interfaces, and 

- instruct the IPsec component (13 1 1) regarding protected transmission of broadcast 
packets through the second network interface. 

25 

12. A gateway computer according to claim 11, characterized in that the 
broadcast packet handler component (1350) is additionally arranged to receive 
information (1355) from the IPsec component (1311) regarding the number and 
endpoints of currently existing IPsec-protected connections through the second 

3 0 network interface. 

13. A host computer (121, 122, 141, 732, 733, 742, 743, 1113, 1114, 1301), 
comprising means (1311, 1312) for establishing an IPsec-protected connection to 
and from a gateway computer of a logical network segment within which the 

35 distribution of broadcast packets is allowable, wherein the IPsec protection is 
arranged to specify, what kinds of packets are acceptable for transmission over the 
IPsec-protected connection, characterized in that the host computer comprises: 
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- means (1311) for encapsulating a broadcast packet into a form that is acceptable 
for transmission over the IPsec-protected connection and 

-means (1312) for transmitting the encapsulated broadcast packet to the gateway 
computer through the IPsec-protected connection. 

5 

14. A host computer according to claim 13, characterized in that it comprises: 

-a network interface (1312) for connecting the host computer to a gateway 
computer, 

-an IPsec component (1311) coupled to the network interface (1312) for 
10 implementing IPsec protection within connections through said network interface, 
and 

- a broadcast packet handler component (1350); 

wherein the broadcast packet handler component is arranged to: 

- receive (1355) broadcast packets from the network interface, 

15 - forward (1353) received broadcast packets to application layer entities (1302) in 
the host computer, 

- forward (1353) broadcast packets from application layer entities (1302) in the host 
computer towards the network interface (1312), and 

- instruct the IPsec component (1311) regarding protected transmission of broadcast 
20 packets through the network interface. 

15. A gateway computer according to claim 14, characterized in that the 
broadcast packet handler component (1350) is additionally arranged to receive 
(1355) information from the IPsec component (1311) regarding the number and 

25 endpoints of currently existing IPsec-protected connections through the network 
interface. 

16. A computer program product comprising a computer readable medium, having 
thereon: computer program code means, when said program is loaded, to make the 

30 computer execute procedures to encapsulate a broadcast packet into a form that is 
acceptable for transmission over an IPsec-protected connection; and transmit the 
encapsulated broadcast packet a part of a logical network segment different than the 
computer itself through an IPsec-protected connection. 

35 17. A computer program element comprising: computer program code means to 
make the computer execute a procedure to encapsulate a broadcast packet into a 
form that is acceptable for transmission over an IPsec-protected connection; and 
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transmit the encapsulated broadcast packet a part of a logical network segment 
different than the computer itself through an EPsec-protected connection. 

18. A computer program element as claimed in claim 17 embodied on a computer 
readable medium. 

19. A computer readable medium, having a program recorded thereon, where the 
program is to make the computer execute procedures to encapsulate a broadcast 
packet into a form that is acceptable for transmission over an EPsec-protected 
connection; and transmit the encapsulated broadcast packet a part of a logical 
network segment different than the computer itself through an IPsec-protected 
connection. 

20. A computer program product directly loadable into the internal memory of a 
digital computer, comprising software code portions for performing the steps of 
claim 19 when said product is run on a computer. 

21. A computer program product stored on a computer usable medium, 
comprising: computer readable program means for causing a computer to perform 
the steps of claim 19 when said product is run on a computer. 
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Abstract 



A method and devices are provided for handling a 
broadcast packet in a computer (131, 132, 612, 622, 632, 
711, 721, 731, 741, 1111, 1112, 1301) that has an IPsec- 
protected connection to a part (121, 122, 141, 732, 733, 
742, 743, 1113, 1114) of a logical network segment (101, 
601, 701, 1101) within which the broadcast packet should 
be distributed. The IPsec protection specifies, what kinds of 
packets are acceptable for transmission over the IPsec- 
protected connection. The broadcast packet is encapsulated 
(204, 311, 508, 835, 838, 840, 842, 849, 852, 909) into a 
form that is acceptable for transmission over the IPsec- 
protected connection. It is then transmitted (205, 206, 312, 
509, 836, 839, 841, 843, 850, 853, 910) to the part of the 
logical network segment through the IPsec-protected 
connection. 
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